Efficient quantum processing of ideals in finite rings 
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Suppose we are given black-box access to a finite ring R, and a list of generators for an ideal I in 
R. We show how to find an additive basis representation for / in poly(log |_R|) time. This generalizes 
a recent quantum algorithm of Arvind et al. which finds a basis representation for R itself. We 
then show that our algorithm is a useful primitive allowing quantum computers to rapidly solve 
a wide variety of problems regarding finite rings. In particular we show how to test whether two 
ideals are identical, find their intersection, find their quotient, prove whether a given ring element 
belongs to a given ideal, prove whether a given element is a unit, and if so find its inverse, find 
the additive and multiplicative identities, compute the order of an ideal, solve linear equations over 
rings, decide whether an ideal is maximal, find annihilators, and test the injectivity and surjectivity 
of ring homomorphisms. These problems appear to be hard classically. 
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Here we present quantum algorithms for several prob- 
lems regarding finite rings. All of the algorithms run in 
time scaling polylogarithmically in the size of the ring. A 
ring is normally specified by a set of elements that gen- 
erate the ring via linear combination and multiplication, 
and an ideal is normally specified by a set of elements 
that generate the ideal via linear combination and multi- 
plication by arbitrary ring elements. To apply the known 
quantum techniques for Abelian groups we find sets that 
generate rings and ideals as Abelian groups, that is, by 
linear combination only. The problem of finding such a 
generating set for rings has been already solved by Arvind 
et o/.0. Our solution for ideals generalizes their result. 

As shown in Q, both integer factorization and graph 
isomorphism reduce to the problem of counting automor- 
phisms of rings. This counting problem is contained in 
AMncoAM. Therefore it is unlikely to be NP-hard. In- 
teger factorization also reduces to the problem of finding 
nontrivial automorphisms of rings and to the problem of 
finding isomorphisms between two rings. Furthermore, 
graph ismorphism reduces to ring isomorphism for com- 
mutative rings. Thus these ring automorphism and iso- 
morphism problems are attractive targets for quantum 
computation. Perhaps the quantum algorithms given in 
this paper can serve as steps toward efficient quantum 
algorithms for some of these problems. 

Let i? be a finite ring with identity, which need not 
be commutative. Let R = {ri, . . . , r„} be a subset of R 
such that each element of R can be obtained by some 
sequence of additions and multiplications of elements of 
R. We say that i? is a generating set for R. Let / be the 
left ideal in R generated by /. That is, / is the smallest 
subset of R containing / that is closed under addition 
and closed under left multiplication by elements of R. 
Throughout this paper we mainly discuss left ideals. One 
can similarly define right ideals and two-sided ideals, and 
the generalization of our algorithms to these cases is a 
straightforward generalization. Note that R is itself an 
ideal in R. 

A left ideal / in a finite ring R forms an Abelian group 



(/, +) under addition. Any generating set {ai, . . . ,ai} 
for an Abelian group A yields a homomorphism from 
... X Zs, to A where si,...,s; are the orders 



Zsi X 

of ai. 



,ai. In additive notation, this homomorphism 

The structure 



=1 ^j^-j 



takes the integers zi , . . . , Z£ to 
theorem for finite Abelian groups states that there ex- 
ists a generating set for A such that this homomorphism 
is an isomorphism. We call this a generating set of the 
invariant factors, or i. f. generating set for short. The 
main tool in this paper is an efficient quantum algorithm 
to find an i. f. generating set for {!,+). No polynomial 
time classical algorithm for this problem is known. 

The computational difficulty of problems on rings may 
depend on how the algorithm is allowed to access the 
ring. We assume only blackbox access to the ring. 
That is, the ring elements are assigned arbitrary bit 
strings by some injective map rj and we have access to 
blackboxes implementing f^{ri{a),ri{b)) = rj{a -\- b) and 
/x (?7(a), 77(5)) — ri{a x 6). The ideal / is specified by a 
list of generators / ~ {ii, . . . , im} with m = 0(log |i?|). 
Given these inputs, our method for finding an i. f. gen- 
erating set for (/, -|-) proceeds in two steps. First we 
find a generating set for (/,+). Although the elements 
of / generate / as an ideal, they do not generate / as 
an Abelian group, that is, by addition only with no left- 
multiplication by R elements. After finding a generating 
set for (J, +) we then convert it to an i. f. generating set 
for (/, +) using the quantum algorithms of [sl, [Tlj. 

To find a generating set for (/,+), let Bi = I and 
apply the following iteration. Let Bk be the Abelian 
group additively generated by Bk- At the fc'^ step we 
search for an element i € I not contained in Bk- If we 
find one, we let Bk+i — B^U {i}. For some sufficiently 
large k, Bk = I, at which point the search for i fails and 
the process terminates. We now show in detail how this 
works and that we need at most log2 |/| iterations. 

Suppose we know Bk- To find an element of / not 
contained in Bk, we choose any generator r e i? of i?. 
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Let rBk = {rxja:: €E Bk}- We create the superpositions 
and 

Because Bk and ri?^ are Abelian groups whose genera- 
tors we know, these states can be created efficiently to 
polynomial precision using the results of [3, [HI . 

To determine the intersection of Bk and rBk we use 
the swap test to estimate the inner product {Bk\rBk). 
Polynomially many applications of the swap test yield 
{Bk\rBk) to 1/poly precision. Bk n rBk is a subgroup of 
Bk- Thus by Lagrange's theorem, either '^'j^^"^'' = 1 or 

^^'i^lf ''^ < ^ . These two cases can be distinguished with 
high reliability by swap tests, because 

If we find that l^ig!:^ < i then we choose an element 
i G rBk uniformly at random. We can do this using the 
techniques of ^3", Tl'l to find an i. f. generating set for Bk 
and then sampling uniformly from the product of cyclic 
groups to which Bk is isomorphic. Thus, along with i we 
get an expression for i as r times some linear combination 
of the elements of Bk- i is definitely contained in /, and 
with probability at least 1/2, i is not contained in Bk- If 
i e Bk then {Bk\i + Bk) = 1, otherwise {Bk\i + Bk) = 0. 
Thus, to determine whether i G Bk we create the states 
\Bk) and \i + Bk) and use the swap test, li i G Bk 
we choose a different random element of rBk and try 
again. With probability 1 — e, this process terminates in 
0(log(l/e)) time. Once it does, we let Bk+i = BkU {?}. 

If we instead find that ^';p''f = 1, we choose a dif- 
ferent r G R and swap test again. We keep repeating this 
process until we find some r G R such that '^'['b^^*' 7^ 1 
or we exhaust R. If l^';^''f^''l = 1 for all r e ^ we are 
done, because Bk — I- We can prove this with the fol- 
lowing lemma. 

Lemma 1 Let I he a left ideal generated by {ii, . . . , im} 
in a finite ring R. Let Bk be a subset of L containing 
{ii, . . . , im}. The set of ring elements Bk additively gen- 
erated by Bk is equal to I if and only if rBk Q Bk ^r G R. 

Proof: If rBk ^ Bk for all r G i? then, because i? is a 
generating set for R, rBk C Bk for all r G R. Thus, Bk is 
a left ideal in R. By construction, Bk contains ii, . . . , i™. 
By the definition of generators, / is the smallest left ideal 
in R containing Bk is also contained in /. 

Thus Bk = I. The converse follows immediately from 
the fact that / is a left ideal. □ 



In the above procedure, the time needed to obtain each 
additive generator is poly (log |i?|). Furthermore, every 
time we add another generator, we increase the size of 
the generated group by at least a factor of two. Thus, we 
need to perform the above iteration at most log2 |/| times. 
We can also in polynomial time obtain expressions for the 
elements of this set in terms of the original generators for 
/ by recursively composing the expressions we obtained 
at each step for i in terms of the preceding generators 
Bk- 

Once we have a set Bk of elements that generate / as an 
Abelian group, we can efficiently find an i. f. generating 
set for (J, as well as expressions for the i. f. generators 
as linear combinations of Bk using the techniques of [3, 
ITTI |. These techniques also efficiently yield the additive 
orders of the i. f. generators. 

After finding an i. f. generating set for (/, one would 
like to have a procedure to take a given element i € L and 
decompose it as a linear combination of these generators. 
Note that i is given as an arbitrary bit string from the 
encoding r/, so initially we know nothing about i. We 
can efficiently perform this decomposition as described 
below. 

Let G = X X ... X Z^^ x Z^, where si, . . . ,se 
are the orders of the i. f. generators hi, . . . ,ht and s is 
the order of i. Let 

f{ni,n2, . . .,ni,m) ^ T] + mi^ . 

This function hides the cyclic subgroup of G generated 
by 

{ni{i),n2{i),...,ni{i),-l), 

where ni{i), . . . ,ni{i) is the decomposition of i in terms 
of the i. f. generators: 

i = ^rij{i)hj. 

Using the polynomial time quantum algorithm for the 
Abelian hidden subgroup problem we thus recover 
this decomposition. 

Let {hi, . . . , hi} be an i. f. generating set for /. The 
multiplication in / can be fully specified by the tensor 
Mf^. defined by 

hih, =Y,Ml^hk. 
fc=i 

We can compute all l^ of the entries of M^^ by taking 
each pair hi , hj , using the multiplication oracle to find 
the bit string encoding their product, and then using the 
Abelian hidden subgroup algorithm to decompose the 
element represented by the resulting bit string, as de- 
scribed above. Together, the i. f. generators for /, their 
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orders, and the multiplication tensor are called a basis 
representation for /. The previous work of Arvind et al. 
shows how to efficiently quantum compute a basis repre- 
sentation in the special case that / is the entire ring R 
. The best existing classical algorithm for this problem 
requires order \R\ queries [l^. 

Given a basis representation for an ideal / it is straight- 
forward to construct a uniform superposition |/) over all 
elements of /. By constructing the superpositions |/) 
and I J) for two ideals / and J we can determine whether 
I = J using the swap test. By Lagrange's theorem, if 
I ^ J then (/| J) < 1/2. Thus we need only use 0(log(e)) 
swap tests to ensure that the chance of falsely conclud- 
ing / = J is at most e. After constructing |/) and being 
given a ring element r, we can use the addition black- 
box to construct the coset state \r + I). If r G / then 
the inner product of these states is one, and otherwise it 
is zero. Thus, the swap test on |/) and \r + I) tells us 
whether r G I. Given r G R, let Rr be the left ideal in 
R generated by r. Rr = i? if and only if r is a unit. If 
Rr 7^ R then Rr contains at most half the elements of R. 
Thus one can determine whether a given r e i? is a unit 
by constructing \Rr) and \R) and comparing them using 
the swap test. If r is a unit, then we can find its inverse 
using the quantum order finding algorithm [lo|. If r'^ = 1 
then r~^ = r'^~^. 

Suppose r is contained in the ideal /. To obtain an 
explicit construction for r in terms of the generators of 
/, we can first obtain a basis representation for /. We 
can obtain an expression for r as a linear combination of 
the basis for / by solving the Abelian hidden subgroup 
problem. From the algorithm for obtaining a basis rep- 
resentation for / we also obtain expressions for the basis 
elements in terms of the original generators of /. Thus 
one can efficiently convert the expression for r as a lin- 
ear combination of the basis representation for / into an 
expression for r in terms of the original generators for /. 

Suppose we are given generating sets for two ideals 
/ and J. We wish to find a basis for I H J. By tech- 
niques described above, we can create the superposition 
I J) over all elements of J, and we can find a basis repre- 
sentation for /. A reversible circuit for addition performs 
the unitary transformation U+\a)\b) = \a)\a + b). Thus, 
U+\a)\J) — U+\a)\a + J), where \a + J) is a superposi- 
tion over the coset a + J. li a E J then {a + J\J) = 1. 
Otherwise {a + J\J) — 0. Hence applying addition to 
the state J is an operation that "hides" the subgroup 
(/n J, 4-) of the group (/, +) of inputs. Thus, one can use 
the quantum algorithms for the Abelian hidden subgroup 
problem to find a set of generators for (/n J, +). From 
this we easily extract a basis representation. (Typically 
in a hidden subgroup problem one is given a blackbox 
that maps group elements to classical bit strings. This 
map is constant and distinct on cosets of the hidden sub- 
group. However, examining the algorithm of 9], one sees 
that it works just the same if the blackbox maps the dif- 
ferent cosets to any set of orthogonal states, the classical 
bit string states being just a special case.) 



If / and J are two ideals in R, one defines {I : J) = 
{x £ R\xJ C /}. (/ : J) is an ideal, and is called an 
ideal quotient or a colon ideal. (/ : J) is a subgroup 
of {R,+). Let U be the unitary transformation defined 
by U\x)\yi) . . . \y,n) = \x)\xji + yi) . . . \xjm + Vm) for 
all x,yi, . . . ,ym G R. Given quantum black boxes for 
arithmetic on R, U can be efficiently implemented by a 
quantum circuit. The states \xji + I) . . . \xjm + I) and 
\yii +!)■■■ \yjm + I) are identical if x and y belong to 
the same coset of (/ : J) in (i?, and are orthogonal 
if X and y come from different cosets. Thus, we can ef- 
ficiently find an additive generating set for (/ : J) by 
solving the Abelian hidden subgroup problem using U to 
hide (/ : J). 

The left annihilator ^5 of = {si,...,s„} C i? is 
defined as As = {x E R\xsi = 0, . . . , a;s„ = 0}. As 
forms a subgroup of (i?, +). The function on R given 
by fs{x) — {xsi, . . . ,xsn) hides this subgroup. Thus, 
after finding an i. f. generating set for R one can use 
the quantum algorithm for the Abelian hidden subgroup 
problem to find generators for any annihilator provided 
S is at most polynomially large. The same method will 
work if S is given by a polynomially large set of additive 
generators. 

Given generators for an ideal / in a finite ring, we can 
find the order of /, by finding an i. f. generating set for 
it and taking the product of the orders of the generators. 
Finding the order of a ring is a special case, as any ring 
is an ideal in itself. 

Suppose we are given a black-box implementing a ho- 
momorphism p : i? — s- i?' between two rings. Determin- 
ing whether p is injective is an Abelian hidden subgroup 
problem, where the kernel of p is the hidden subgroup 
in (i?, +). p is injective if and only if its kernel is {0}. 
Wc can efficiently find generators for the kernel of p by 
finding an i. f. generating set for R, and then solving 
the Abelian hidden subgroup problem. To determine 
whether p is surjective, we first compute the order of R' . 
Similarly, the image of p is a ring. If R is generated by 
{ri, . . . ,r„} then R' is generated by {p(ri), . . . ,p(r„)}. 
After querying the homomorphism black-box to obtain 
the generators {p{ri), . . . , p(r„)} we can compute the or- 
der of the ring they generate (i?') as described in the 
preceding paragraph, p is surjective if and only if the 
order of the image of p equals the order of R' . 

Suppose we wish to solve a linear equation ax = b over 
R. To do this we find an i. f. generating set {hi, . . . , hi} 
for R, and decompose a and b in terms of these generators 

a = J2t=i a^hi b = Yfi=i 

Let 

where Mlj,- is the multiplication tensor from the basis rep- 
resentation. Parametrize 

^i^i foi' integers 

xi, . . . , Xf,. Then, in an i. f. generating set, aa; = 5 if and 
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only if 

I 

'^AijXj = bi mod Si, (1) 

for each i = 1,2,...,^. (Here Si is the additive order 
of hi.) Wc can introduce additional integer unknowns 
ki, . . . ,ke and rewrite this as a system of linear diophan- 
tine equations: 

i 

^A.jXj + hsi^bi, i = l,2,...,e. (2) 

A solution to a system of m diophantine equations in n 
variables can be found in poly(?i, m) time using the clas- 
sical algorithms of Thus we can classically find an 
integer solution to equation [21 which has £ equations and 
2£ unknowns, in poly(i') time. Equation [2] is underte- 
dermined because the original system of equations [T] is 
modular. 

By a similar technique, we can find the identity in R. 
Again suppose we have computed a basis representation 
for R. Since the basis representation has the following 
property, 

nihi + . . . + riihi = ha ^ np = Sap 1 < /3 < ^ 

where Ui S Zf,. , an element r = identity 
if and only if 

TiM^j EE mod Sk 

i=l 

for all j'. A: = 1, 2, . . . , This is again a system of linear 
modular equations, which we can convert to a system of 
linear diophantine equations that we solve in polynomial 
time using[3|. Note that the quantum algorithm of [ij 
solves a very different problem although the authors refer 
to it as identity testing. 

In a black box ring, finding the additive identity is 
also nontrivial. Because all ring elements have additive 
inverses, we can choose any r G -R, find its order c using 
the quantum order finding algorithm [loj . find the ad- 
ditive inverse of r by computing (c — l)r, and find the 
additive identity by computing cr. The computation of 
cr and (c — l)r requires 0(log2 c) queries to /+. 

We now show how to efficiently determine whether a 
given two-sided ideal / is prime. Recall that an ideal / is 
prime if a5 e / implies that a € / or 6 e / for all a, 6 G i?, 
which is equivalent to the fact that the quotient ring S = 
Rjl does not have any zero-divisors. This already implies 
that 5* is a division ring (i.e., each non-zero element has 
a multiplicative inverse) since S is finite. Wedderburn's 
theorem shows that all finite division rings are finite fields 
Q- i?// a field implies / is maximal, thus / is prime 
implies / is maximal. The converse is also true. 



Let S* denote the group of units of the quotient ring 
S. We choose an element r uniformly at random in R. 
With probability at least 1/2 we have r ^ I. Once we 
obtain such r we determine the size of the (additively 
generated) cyclic subgroup (f) of S, where f denotes the 
image of r in 5 under the canonical projection. This can 
be done by applying Shor's period finding algorithm to 
the state (l/v^)X]x=o + I)) where g is a power 

of 2 with \S\^ < q < 2|S'p. This state can be prepared 
efficiently. 

If S" is a field, then with probability at least (p{\S\ — 
1)/\S\ > fi(l/log|S'|) we have (f) = S* where ip denotes 
Euler's toticnt function. This follows from the fact that 
the group of units of an arbitrary finite field with d 
element is cyclic of order d—1 and (p{m)/m ~ il(l/ logm) 
for integers m Q . If 5 is not a field, then S* cannot have 
order jS"! — 1 (otherwise every non-zero element would 
have a multiplicative inverse, implying that 5* is a field). 
If we find that 5 is a field then we know / is prime, other- 
wise / is not prime. The above procedure for determining 
whether the quotient ring S is a field can be applied to 
any finite blackbox ring, offering a simpler alternative to 
the algorithm in 2] . 

Our quantum algorithms for rings R also extend to 
i?-modules. Beyond this, we conjecture that our quan- 
tum algorithms apply to any category posessing a faithful 
functor to the category of Abelian groups. 

It would be interesting to find efficient quantum algo- 
rithms for deciding whether a given ideal / is principal 
and computing the g roup of units R* of R. The quan- 
tum algorithms in [3|, llll | make it possible to determine 
the structure of any finite abelian black-box group ac- 
cording to the structure theorem. So, the question arises 
naturally whether a similar quantum algorithm exists for 
decomposing finite black-box rings. More precisely, is it 
possible to efficiently learn the structure of a finite black- 
box ring according to a structure theorem in ring theory 
such as the Wedderburn-Artin theorem Q? 

It would be worthwhile to investigate whether the 
above algorithms extend to the case of infinite rings. 
It is not obvious that we can consider arbitrary infinite 
rings. However, it seems likely that the above algorithms 
could be extended to a black-box ring R which is endowed 
with a grading by Abelian groups Rq, Ri, R2, . ■ . and each 
component Rg is finite. Additionally, we would need a 
promise, making it possible to do all the computations in 
a component Rg for some g. For example, such a situa- 
tion occurs for polynomial rings over a finite field when 
the number of indeterminates is fixed. The complexity of 
the algorithms would then depend on the growth of the 
Hilbert function, which measures the dimension of the 
graded components Rg as i?o-modules. 
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